Closed
dhcpcd/src/if-options.c:2133 Heap Buffer Overflow in parse_option
Description:
When dhcpcd parses a crafted configuration file, it may perform an out-of-bounds heap write in "parse_option()" (src/if-options.c:2133).
The supplied config contains truncated option lines, but instead of safely rejecting the line, dhcpcd probably reaches a memcpy in "parse_option()" and writes 143 bytes past the end of a 72-byte heap allocation, triggering a heap-buffer-overflow and an abort.
Output:
asan-build:
unknown option: i�
unknown option: no
unknown option: leasetivsio6
unknown option: broadcare
unknown option: noi1ic
unknown option: statid
authtoken requires a realm
unknown option: stati^
static assignment required
unknown option: q3AAAAcAAAAAtati�
static assignment required
unknown option: nop1
unknown option: s
unknown option: sta`ic
=================================================================
==27115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x507000001aa8 at pc 0x5595636fe0d2 bp 0x7fff17aecb90 sp 0x7fff17aec350
WRITE of size 143 at 0x507000001aa8 thread T0
#0 0x5595636fe0d1 in __asan_memcpy (/media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd+0xe50d1) (BuildId: a2cd647b862a0905857412ad54c9950619ec029b)
#1 0x55956378775e in parse_option /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2133:4
#2 0x5595637735d3 in parse_config_line /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2605:10
#3 0x5595637735d3 in read_config /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2940:3
#4 0x55956375654a in main /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd.c:2191:8
#5 0x7f1197844ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f1197844d64 in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x559563660880 in _start (/media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd+0x47880) (BuildId: a2cd647b862a0905857412ad54c9950619ec029b)
0x507000001aa8 is located 0 bytes after 72-byte region [0x507000001a60,0x507000001aa8)
allocated by thread T0 here:
#0 0x559563700970 in reallocarray (/media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd+0xe7970) (BuildId: a2cd647b862a0905857412ad54c9950619ec029b)
#1 0x55956378758e in parse_option /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2113:11
#2 0x5595637735d3 in parse_config_line /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2605:10
#3 0x5595637735d3 in read_config /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/if-options.c:2940:3
#4 0x55956375654a in main /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd.c:2191:8
#5 0x7f1197844ca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/dhcpcd/dhcpcd_asan/src/dhcpcd+0xe50d1) (BuildId: a2cd647b862a0905857412ad54c9950619ec029b) in __asan_memcpy
Shadow bytes around the buggy address:
0x507000001800: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x507000001880: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
0x507000001900: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x507000001980: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x507000001a00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
=>0x507000001a80: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
0x507000001b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x507000001b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x507000001c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x507000001c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x507000001d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27115==ABORTING
Environment
OS: tested at 6.12.25-1kali1 (2025-04-30) x86_64 GNU/Linux
Compiler version: Clang 19.1.7
Build-opts: -g -O1 -fno-omit-frame-pointer -fsanitize=address,undefined
CPU type: x86_64
dhcpcd - commit hash 117742d755b591764036dd4218f314f748a3d2b7
Additional context
link to the sample (github-url):
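The bug class the report describes, as an added example that is not dhcpcd's code and not the reporter's sample: a config-line parser sizes a heap array from a count declared on the line (an overflow-checked `grow_items()` stands in for the `reallocarray()` seen in the trace) and then copies however many bytes the line actually carries, so a truncated or over-long line makes the allocation and the memcpy disagree. The `<count>:<payload>` line format, `ITEM_SIZE`, the `parse_unsafe()`/`parse_safe()`/`check()` names and the `SAMPLE_*` lines are all hypothetical; `SAMPLE_OVERLONG` is built to mirror the report's numbers (72 bytes allocated, 143 copied). The hardened parser rejects a truncated header and any payload whose length disagrees with the declared size before it allocates anything.

```c
/* Added example, not dhcpcd's code: the count/length mismatch behind a heap
 * overflow in a config-line parser, with a hardened version beside it.
 * Line format "<count>:<payload>", ITEM_SIZE and all names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ITEM_SIZE 8 /* hypothetical element size: 9 items = 72 bytes, as in the report */

/* Overflow-checked stand-in for reallocarray(), so this builds without _GNU_SOURCE. */
static void *grow_items(void *p, size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, nmemb * size);
}

/* Parse "<count>:" and return the byte count the line DECLARES.
 * On a truncated or malformed header *payload is NULL and 0 is returned. */
static size_t declared_len(const char *line, const char **payload)
{
    char *end;
    unsigned long count = strtoul(line, &end, 10);

    *payload = NULL;
    if (end == line || *end != ':' || count > SIZE_MAX / ITEM_SIZE)
        return 0;
    *payload = end + 1;
    return (size_t)count * ITEM_SIZE;
}

/* Vulnerable shape: allocate by the declared count, copy by the actual length. */
int parse_unsafe(const char *line, unsigned char **out, size_t *outlen)
{
    const char *payload;
    size_t alloc = declared_len(line, &payload);

    if (payload == NULL)
        return -1;
    unsigned char *buf = grow_items(NULL, alloc / ITEM_SIZE, ITEM_SIZE);
    if (buf == NULL)
        return -1;
    *outlen = strlen(payload);
    memcpy(buf, payload, *outlen); /* writes past buf whenever *outlen > alloc */
    *out = buf;
    return 0;
}

/* Hardened shape: check the two lengths against each other before allocating. */
int parse_safe(const char *line, unsigned char **out, size_t *outlen)
{
    const char *payload;
    size_t alloc = declared_len(line, &payload);

    if (payload == NULL || alloc == 0)
        return -1; /* truncated header: reject, do not guess */
    if (strlen(payload) != alloc)
        return -1; /* over-long (would overflow) or short (uninitialised tail) */
    unsigned char *buf = grow_items(NULL, alloc / ITEM_SIZE, ITEM_SIZE);
    if (buf == NULL)
        return -1;
    memcpy(buf, payload, alloc); /* bounded by the allocation, not by the input */
    *out = buf;
    *outlen = alloc;
    return 0;
}

/* Constructed sample lines (not the reporter's PoC file). */
#define A8  "AAAAAAAA"
#define A64 A8 A8 A8 A8 A8 A8 A8 A8
#define A72 A64 A8
const char SAMPLE_OK[]        = "9:" A72;               /* declares 72, supplies 72 */
const char SAMPLE_OVERLONG[]  = "9:" A72 A64 "AAAAAAA"; /* declares 72, supplies 143 */
const char SAMPLE_SHORT[]     = "9:" A8;                /* declares 72, supplies 8 */
const char SAMPLE_TRUNCATED[] = "9";                    /* header cut before the ':' */

/* Run one line through the hardened (1) or vulnerable (0) parser;
 * returns the stored length, or -1 if the line was rejected. */
long check(const char *line, int hardened)
{
    unsigned char *buf;
    size_t n;
    int rc = hardened ? parse_safe(line, &buf, &n) : parse_unsafe(line, &buf, &n);

    if (rc == -1)
        return -1;
    free(buf);
    return (long)n;
}

int main(int argc, char **argv)
{
    /* Under ASan, "./demo --overflow" reports a 143-byte WRITE past a 72-byte region. */
    if (argc > 1 && strcmp(argv[1], "--overflow") == 0)
        check(SAMPLE_OVERLONG, 0);
    return check(SAMPLE_OK, 1) == 72 ? 0 : 1;
}
```

Build with `clang -g -O1 -fno-omit-frame-pointer -fsanitize=address,undefined demo.c -o demo` (the report's own flags) and run `./demo --overflow` to get an ASan heap-buffer-overflow in `__asan_memcpy` of the same shape as the one above; without the flag only the hardened path runs. Note that the vulnerable parser also silently accepts `SAMPLE_SHORT`, leaving 64 bytes of the allocation uninitialised, which is the other half of what "truncated option lines" can do and why the hardened version rejects a length mismatch in either direction.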